YapWC commented on issue #12641:
URL: https://github.com/apache/apisix/issues/12641#issuecomment-3708995157

> 2. Implementation level: The `create_checker` function in `healthcheck_manager.lua` does not read and pass the upstream mTLS certificate configuration to the underlying `resty.healthcheck` library.
   
We are aware that it is not passed in the `create_checker` function, but the test created by @laz-xyr did pass the `ssl_cert` and `ssl_key`.
   
Test 1:
```lua
...
local healthcheck = require("resty.healthcheck")
local checker = healthcheck.new({
    name = "testing",
    shm_name = "test_shm",
    events_module = events:get_healthcheck_events_module(),
    -- client certificate and key used for the mTLS handshake with the upstream
    ssl_cert = cert_data,
    ssl_key = key_data,
    checks = {
        active = {
            type = "https",
            https_verify_certificate = false,
            http_path = "/healthz",
            healthy = {
                interval = 1,
                successes = 3
            },
            unhealthy = {
                interval = 1,
                http_failures = 3,
            }
        },
    }
})
...
```
And it is supposed to be able to perform mTLS, as the `resty.healthcheck` library does actually support mTLS, right?
   
The problem here is that even after passing the required variables for mTLS, it was not performed and failed. Therefore, as suggested by @laz-xyr, this could be where the potential issue lies.
   
> [@YapWC](https://github.com/YapWC) [@Baoyuantop](https://github.com/Baoyuantop) The official recommendation for the mTLS handshake is `tcpsock:setclientcert` and `tcpsock:sslhandshake`. The `resty.healthcheck` library is also implemented using this method.
>
> However, apisix additionally implements the `tcpsock:tlshandshake` ([api7/apisix-nginx-module#1](https://github.com/api7/apisix-nginx-module/pull/1)) method.
>
> Local test result: the method `tcpsock:tlshandshake` can handle the mTLS handshake, while `tcpsock:sslhandshake` will fail.
>
> But `sslhandshake` (in the above test 2) can do the mTLS handshake in the original OpenResty environment; I don't know where apisix broke this function.
   